diff --git a/BytecodeViewer 2.7.0.jar b/BytecodeViewer 2.7.0.jar index ef5a6041..39603c86 100644 Binary files a/BytecodeViewer 2.7.0.jar and b/BytecodeViewer 2.7.0.jar differ diff --git a/README.txt b/README.txt index 775776b7..916f941a 100644 --- a/README.txt +++ b/README.txt @@ -14,8 +14,8 @@ Code from various projects has been used, including but not limited to: Procyon by Mstrobel CFR by Lee Benfield CFIDE by Bibl - Smali by JesusFreke - Dex2Jar by pxb1..? + Smali by JesusFreke + Dex2Jar by pxb1..? Contributors: Konloch diff --git a/src/the/bytecode/club/bytecodeviewer/BytecodeViewer.java b/src/the/bytecode/club/bytecodeviewer/BytecodeViewer.java index 1b940d81..85ad1da9 100644 --- a/src/the/bytecode/club/bytecodeviewer/BytecodeViewer.java +++ b/src/the/bytecode/club/bytecodeviewer/BytecodeViewer.java @@ -80,12 +80,8 @@ import the.bytecode.club.bytecodeviewer.plugins.PluginManager; * Option to make the bytecode pane automatically scroll to where the source code pane is * Replacing all string field calls with the string instance - would require EZ-Injection to run code? * Spiffy up the plugin console with red text optional, would require JTextPane, not JTextArea. - * Add robot to malware scanner * Add right click on tab > close other tabs > close this tab - * Try automatic insert return null for all runtime.exec methods via ASM3; //maybe just do AMS5 then obfuscate the dex2jar shit. - * - * Look at Desktop.getDesktop().open(); - * refine POC and just use sec man + * maybe just do AMS5 then obfuscate the dex2jar shit. * * ----Beta 1.0.0-----: * 10/4/2014 - Designed a POC GUI, still needs a lot of work. 
@@ -304,15 +300,12 @@ import the.bytecode.club.bytecodeviewer.plugins.PluginManager; * 01/16/2015 - Made EZ-Injection UI look a bit nicer. * 01/27/2015 - Decided to scrap the JVM Sandbox POC and use the Security Manager. * 01/27/2015 - BCV now blocks exec and won't allow any ports to be bound. + * 01/27/2015 - Added java.awt.Robot to the malicious code scanner. * * @author Konloch * */ -/** - * Store the inst object and original class bytes, then allow optional real time toggling? - */ - public class BytecodeViewer { public static MainViewerGUI viewer = null; diff --git a/src/the/bytecode/club/bytecodeviewer/gui/MaliciousCodeScannerOptions.java b/src/the/bytecode/club/bytecodeviewer/gui/MaliciousCodeScannerOptions.java index 99d3eafd..4f21237e 100644 --- a/src/the/bytecode/club/bytecodeviewer/gui/MaliciousCodeScannerOptions.java +++ b/src/the/bytecode/club/bytecodeviewer/gui/MaliciousCodeScannerOptions.java @@ -25,7 +25,7 @@ import java.awt.event.ActionEvent; public class MaliciousCodeScannerOptions extends JFrame { public MaliciousCodeScannerOptions() { this.setIconImages(BytecodeViewer.iconList); - setSize(new Dimension(250, 300)); + setSize(new Dimension(250, 323)); setResizable(false); setTitle("Malicious Code Scanner Options"); getContentPane().setLayout(null); @@ -38,11 +38,11 @@ public class MaliciousCodeScannerOptions extends JFrame { final JCheckBox chckbxJavanet = new JCheckBox("java/net"); chckbxJavanet.setSelected(true); - chckbxJavanet.setBounds(6, 59, 232, 23); + chckbxJavanet.setBounds(6, 81, 232, 23); getContentPane().add(chckbxJavanet); final JCheckBox chckbxJavaio = new JCheckBox("java/io"); - chckbxJavaio.setBounds(6, 85, 232, 23); + chckbxJavaio.setBounds(6, 104, 232, 23); getContentPane().add(chckbxJavaio); final JCheckBox chckbxJavalangruntime = new JCheckBox( 
@@ -54,48 +54,57 @@ public class MaliciousCodeScannerOptions extends JFrame { final JCheckBox chckbxLdcContainswww = new JCheckBox( "LDC contains 'www.'"); chckbxLdcContainswww.setSelected(true); - chckbxLdcContainswww.setBounds(6, 111, 232, 23); + chckbxLdcContainswww.setBounds(6, 130, 232, 23); getContentPane().add(chckbxLdcContainswww); final JCheckBox chckbxLdcContainshttp = new JCheckBox( "LDC contains 'http://'"); chckbxLdcContainshttp.setSelected(true); - chckbxLdcContainshttp.setBounds(6, 137, 232, 23); + chckbxLdcContainshttp.setBounds(6, 156, 232, 23); getContentPane().add(chckbxLdcContainshttp); final JCheckBox chckbxLdcContainshttps = new JCheckBox( "LDC contains 'https://'"); chckbxLdcContainshttps.setSelected(true); - chckbxLdcContainshttps.setBounds(6, 163, 232, 23); + chckbxLdcContainshttps.setBounds(6, 182, 232, 23); getContentPane().add(chckbxLdcContainshttps); final JCheckBox chckbxLdcMatchesIp = new JCheckBox( "LDC matches IP regex"); chckbxLdcMatchesIp.setSelected(true); - chckbxLdcMatchesIp.setBounds(6, 189, 232, 23); + chckbxLdcMatchesIp.setBounds(6, 208, 232, 23); getContentPane().add(chckbxLdcMatchesIp); final JCheckBox chckbxNullSecMan = new JCheckBox( "SecurityManager set to null"); chckbxNullSecMan.setSelected(true); - chckbxNullSecMan.setBounds(6, 215, 232, 23); + chckbxNullSecMan.setBounds(6, 234, 232, 23); getContentPane().add(chckbxNullSecMan); + + final JCheckBox chckbxJavaawtrobot = new JCheckBox("java/awt/Robot"); + chckbxJavaawtrobot.setSelected(true); + chckbxJavaawtrobot.setBounds(6, 59, 232, 23); + getContentPane().add(chckbxJavaawtrobot); JButton btnNewButton = new JButton("Start Scanning"); btnNewButton.addActionListener(new ActionListener() { public void actionPerformed(ActionEvent arg0) { PluginManager.runPlugin(new MaliciousCodeScanner( chckbxJavalangreflection.isSelected(), - chckbxJavalangruntime.isSelected(), chckbxJavanet - .isSelected(), chckbxJavaio.isSelected(), + chckbxJavalangruntime.isSelected(), + 
chckbxJavanet.isSelected(), + chckbxJavaio.isSelected(), chckbxLdcContainswww.isSelected(), chckbxLdcContainshttp.isSelected(), - chckbxLdcContainshttps.isSelected(), chckbxLdcMatchesIp - .isSelected(), chckbxNullSecMan.isSelected())); + chckbxLdcContainshttps.isSelected(), + chckbxLdcMatchesIp.isSelected(), + chckbxNullSecMan.isSelected(), + chckbxJavaawtrobot.isSelected())); dispose(); } }); - btnNewButton.setBounds(6, 245, 232, 23); + + btnNewButton.setBounds(6, 264, 232, 23); getContentPane().add(btnNewButton); this.setLocationRelativeTo(null); } diff --git a/src/the/bytecode/club/bytecodeviewer/plugins/MaliciousCodeScanner.java b/src/the/bytecode/club/bytecodeviewer/plugins/MaliciousCodeScanner.java index b458a3a6..aeb8d170 100644 --- a/src/the/bytecode/club/bytecodeviewer/plugins/MaliciousCodeScanner.java +++ b/src/the/bytecode/club/bytecodeviewer/plugins/MaliciousCodeScanner.java @@ -28,11 +28,11 @@ import the.bytecode.club.bytecodeviewer.api.PluginConsole; public class MaliciousCodeScanner extends Plugin { - public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM; + public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM, ROB; public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net, boolean io, boolean www, boolean http, boolean https, boolean ip, - boolean nullSecMan) { + boolean nullSecMan, boolean robot) { ORE = reflect; ONE = net; ORU = runtime; @@ -42,6 +42,7 @@ public class MaliciousCodeScanner extends Plugin { LHS = https; LIP = ip; NSM = nullSecMan; + ROB = robot; } @Override @@ -59,6 +60,8 @@ public class MaliciousCodeScanner extends Plugin { || (LHS && s.contains("https://")) || (ORE && s.contains("java/lang/Runtime")) || (ORE && s.contains("java.lang.Runtime")) + || (ROB && s.contains("java.awt.Robot")) + || (ROB && s.contains("java/awt/Robot")) || (LIP && s .matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) sb.append("Found LDC \"" + s + "\" at field " 
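Review bot: The `new MaliciousCodeScanner(...)` call in `actionPerformed` now passes ten positional booleans, and nothing but argument position ties `chckbxJavaawtrobot.isSelected()` to the scanner's `robot` parameter; a swapped pair still compiles and the wrong option is silently honoured (the scanner's own constructor already lists `reflect, runtime, net` but assigns `ORE = reflect; ONE = net; ORU = runtime;`, which shows how easy the order is to lose). A small options holder with named setters, or an `EnumMap<ScannerOption, Boolean>` keyed by the checkbox label, would make the call site self-describing and let the next detector be added without touching every argument list. The new checkbox's `setBounds(6, 59, ...)` places it in the slot java/net vacated, so the on-screen order no longer matches the constructor order either; a short comment on that line, `// Robot sits between java/lang/reflect and java/net on screen`, would save the next reader a double take. The enclosing constructor `MaliciousCodeScannerOptions()` starts in the earlier hunk.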
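Review bot: `ROB` is appended to the row of public mutable flag fields `public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM, ROB;` without any documentation of what the abbreviation gates, and `ROB = robot;` in the following hunk (@@ -42) is the only assignment. Making the row `private final` and documenting each flag, e.g. `// ROB: report references to java.awt.Robot (synthetic input events / screen capture)`, would stop other plugin code from flipping options after construction and give the positional constructor something to be checked against. The constructor body continues into the @@ -42 hunk.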
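Review bot: The new pair `(ROB && s.contains("java.awt.Robot")) || (ROB && s.contains("java/awt/Robot"))` is pasted into three copies of the same LDC predicate (this hunk, @@ -73 and @@ -110), so every future detector has to be added in three places and the copies can drift apart. Extracting the predicate into a private helper and calling it from the field and method LDC loops would reduce each of the three sites to one call and make the Robot addition a single line. While here, the neighbouring context lines gate the `java/lang/Runtime` string checks on `ORE` (reflection) rather than `ORU` (runtime); that predates this change, but it is worth confirming it is intended rather than a copy of the reflect line. The enclosing scan method starts and ends outside the hunk.
```java
/** True when an LDC string trips any of the enabled string detectors (used by all three LDC loops). */
private boolean isSuspiciousString(String s) {
    // … unchanged: LWW "www." and LHT "http://" terms from the original predicate, moved here …
    return (LHS && s.contains("https://"))
            || (ORE && s.contains("java/lang/Runtime"))
            || (ORE && s.contains("java.lang.Runtime"))
            || (ROB && s.contains("java.awt.Robot"))
            || (ROB && s.contains("java/awt/Robot"))
            || (LIP && s.matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"));
}
```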
@@ -73,6 +76,8 @@ public class MaliciousCodeScanner extends Plugin { || (LHS && s.contains("https://")) || (ORE && s.contains("java/lang/Runtime")) || (ORE && s.contains("java.lang.Runtime")) + || (ROB && s.contains("java.awt.Robot")) + || (ROB && s.contains("java/awt/Robot")) || (LIP && s .matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) sb.append("Found LDC \"" + s + "\" at field " @@ -93,8 +98,8 @@ public class MaliciousCodeScanner extends Plugin { final MethodInsnNode min = (MethodInsnNode) a; if ((ORE && min.owner.startsWith("java/lang/reflect")) || (ONE && min.owner.startsWith("java/net")) - || (ORU && min.owner - .equals("java/lang/Runtime")) + || (ORU && min.owner.equals("java/lang/Runtime")) + || (ROB && min.owner.equals("java/awt/Robot")) || (OIO && min.owner.startsWith("java/io"))) { sb.append("Found Method call to " + min.owner + "." + min.name + "(" + min.desc + ") at " @@ -110,6 +115,8 @@ public class MaliciousCodeScanner extends Plugin { || (LHS && s.contains("https://")) || (ORE && s.contains("java/lang/Runtime")) || (ORE && s.contains("java.lang.Runtime")) + || (ROB && s.contains("java.awt.Robot")) + || (ROB && s.contains("java/awt/Robot")) || (LIP && s .matches("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"))) { sb.append("Found LDC \"" + s + "\" at method "
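Review bot: `(ROB && min.owner.equals("java/awt/Robot"))` fires only when the invoked method's owner is exactly `java/awt/Robot`, so a class in the scanned jar that extends Robot and calls the inherited methods on itself has that subclass as `min.owner` and is reported neither here nor by the LDC string checks. If the scanner walks `ClassNode`s (it appears to, given the "at field" reporting, but the loop is outside the hunk), a one-line check on the class header such as `if (ROB && "java/awt/Robot".equals(<classNode>.superName)) sb.append("Found class extending java/awt/Robot: " + <classNode>.name + NL);` would close that gap. Direct use, including `new Robot()` via the `<init>` call, is caught by the owner check as written, and using `equals` rather than `startsWith` is consistent with the adjacent `java/lang/Runtime` line. The enclosing method starts and ends outside the hunk.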